UK ICO Offers Guidance on Back-to-Work Data Privacy Issues

The United Kingdom's Information Commissioner's Office (ICO) has issued guidance for employers on data protection issues related to the return to the workplace as part of the COVID-19 "new normal."

General Principles

Legal Basis

Testing for symptoms is processing of personal data and subject to the General Data Protection Regulation (GDPR).

For private employers, legitimate interests is likely to be the appropriate legal basis for processing.

For health data, employers must also identify an Article 9 condition for processing (e.g., Article 9(2)(b), the employer's obligations on health and safety).

Data Minimization

For special category data, such as health data, it is particularly important to only collect and retain the minimum amount of information you need to fulfill your purpose.

In order to not collect too much data, you must ensure that it is: adequate – enough to properly fulfill your stated purpose; relevant – has a rational link to that purpose; and limited to what is necessary – you do not hold more than you need for that purpose.

Transparency

Be clear, open and honest with employees from the start about how and why you wish to use their personal data.

Have clear and accessible privacy information in place for employees, before any health data processing begins.

The ICO recognizes that in some cases it may not be possible to provide detailed information in advance.

Data Subject Rights

Ensure that staff are able to exercise their information rights.

Put processes or systems in place that will help your staff exercise their rights during the COVID-19 crisis.

For example, set up secure portals or self-service systems that allow staff to manage and update their personal data where appropriate.

Employee Testing: Possible, But

Transparency

Be clear about what decisions you will make with that information.

Before carrying out any tests, you should at least let your staff know:

what personal data is required

what it will be used for

who you will share it with

how long you intend to keep the data

If possible, provide employees with the opportunity to discuss the collection of such data if they have any concerns.

Data Protection Impact Assessments (DPIA)

You should conduct a DPIA for the testing. This DPIA should set out:

the activity being proposed

the data protection risks

whether the proposed activity is necessary and proportionate

the mitigating actions that can be put in place to counter the risks; and

a plan or confirmation that mitigation has been effective

Data Minimization

For example, you will probably only require information about the result of a test, rather than additional details about underlying conditions.

Consider which testing options are available, to ensure that you are only collecting results that are necessary and proportionate.

As an employer, you should be able to demonstrate the reason for testing individuals or obtaining the results from tests.

Temperature Checks/Thermal Cameras: Possible, But

As this is more intrusive technology, give specific thought to the purpose and context of its use and be able to make the case for using it.

Make sure that any monitoring of employees is necessary and proportionate, and in keeping with their reasonable expectations.

Think about whether you can achieve the same results through other, less privacy-intrusive means. If so, then the monitoring may not be considered proportionate.